How to Measure and Manage Legal Risk
What is risk?
The informal notion of risk as the chance that something bad might happen is not a bad place to start defining risk. Better management requires a better definition though. We need to break risk into distinct parts that are measurable.
Risk is the probability of loss given an event
Mathematical precision is possible and desirable in some cases. Large financial firms, for example, have sufficient data about operational losses that they can build predictive models based on experience to measure risk. They are the exception.
To illustrate how we might define risk in statistical terms take the formula: R = p * LGE. In this case R stands for risk, p for Probability of Event expressed as a percentage, and LGE stands for Loss Given Event. LGE is a measurement of the financial harm from an event. LGE can include non-financial losses, but they must yield to measurement for the formula to quantify risk.
Most organizations do not have the data or resources for (or confidence in) abstract models of risk. Organizations without statistically valid loss data can still measure and manage risk, particularly legal risk, by simply moving a few steps toward quantification, away from the "bad stuff" notion.
Risk under ISO 31000 offers an alternative approach
The traditional approach to risk suffers from another important deficiency. It focuses only on losses, presumably because the origins of risk models are in insurance (how much to charge for protection from "bad stuff"?) and credit risk (what happens if the borrower doesn't pay?).
In 2009, the International Organization for Standardization (ISO) released a fresh approach to risk and risk management: ISO 31000:2009 Risk management - Principles and guidelines.
ISO 31000 provides a new definition of risk that is especially useful for measuring legal risk. Risk is the "effect of uncertainty on objectives." Risk management then starts with identifying uncertainty and then evaluating effects (positive and negative).
Legal risk is difficult to measure. However, with the help of the ISO 31000 definition of risk, we can express legal uncertainties and then measure them and their potential effects. We may not achieve mathematical precision, but we can achieve better management.
Four types of legal risk
There are four broad categories of legal risk, or four areas of legal uncertainty: structural, regulatory, litigation, and contractual.
Litigation is the most discussed legal risk in organizations. Litigation is often public and always distracting. The range of events that cause litigation is broad: employee misconduct, accidents, product liability and so on. The list can seem endless.
When management meets with the lawyer to discuss "What is the chance we will lose this case and what are the likely damages," it is too late for risk management. Prior to litigation, we need to identify the areas of uncertainty that affect our objectives. Risk management is not fortune telling. Instead, we want to narrow the possible outcomes from particular events.
For example, a court case in an influential state invalidates a fee charged to consumers as an undisclosed interest charge subject to compensatory and punitive damages. Our organization charges a similar fee. However, the fee is charged a certain number of times and in known states. The statute in question carries known penalties. We have the building blocks to measure and manage legal risk from similar litigation.
Organizations invest significant sums to prevent litigation. It is helpful to weigh the cost of the risk management against the possible outcomes.
Contract risk is the most pernicious and difficult to track among legal risks. The traditional approach to contract risk focuses on a breach of contract by one party and the extra-contractual liabilities that might arise. This approach treats each contract individually and in isolation.
Most organizations focus their contract risk management strategy on drafting effective agreements. Quality contract drafting is necessary, but not sufficient to manage contract risk. There are cases where one contract can create significant risk, such as:
- An exceptional share of revenue is tied to one contract,
- Procurement or service contracts for critical components allow for disruption or price escalation, and
- The counterparty does not indemnify us for damages that carry exceptional consequences like unpaid taxes and environmental problems.
In most cases, however, individual contracts do not, on their own, have the gravity of litigation. The substantive, common and difficult-to-track risk is the uncertainty that arises from the contract portfolio in its entirety. Systemic under-management of contracts creates expense leakage and missed revenue opportunities.
The growth of the administrative branch of government is daunting to most business leaders. Regulatory risk represents the uncertainty of the consequences of an agency's action.
A few examples will illustrate the point:
- A transportation company applies for a license to expand its operations to a new hub. Uncertainty regarding the agency's decision as well as the scope of the decision create risk. Under ISO 31000 the agency's decision can have positive effects, but the uncertainty creates risk.
- A product manufacturer and distributor offers a novel product warranty to generate additional revenue. State insurance commissioners can determine that the warranty should be classified as insurance. They can then impose fines, require insurance applications, impose conditions on the product and pursue civil remedies depending on the state statute.
Identification of regulatory risks is challenging, but the uncertainty about the effects is measurable. Regulations grant powers to the agencies charged with enforcement of the statute and regulations. Penalties range from fines to administrative orders.
Structural legal risk is rare for most organizations. Structural legal risks arise from uncertainty about the underpinnings of a particular industry, technology or method of doing business. When the airline industry was regulated, for example, there was a structural legal risk that the industry would be deregulated.
The scope of a structural legal risk is broad and it usually alters the competitive landscape.
Structural legal risks can arise from sources other than legislation. Antitrust litigation can significantly alter pricing in an industry or key business relationships. Consumer protection enforcement actions can also change the fundamental assumptions of an industry, by rendering a marketing practice (multi-level marketing, for example) unacceptable.
Structural legal risk is also a good example of the ISO 31000 definition of risk. We can be uncertain about the change from a regulated to a deregulated industry. The potential effects are varied: some are positive, some are negative. A structural change can benefit one organization while harming another.
Effective risk identification
To identify risks reliably requires a workable definition of risk. The ISO 31000 definition of risk usefully includes "positive risks." This is the right lens for identifying legal risks and, ultimately, managing legal risks.
Risk is an information problem. We can manage risk when we understand the scope and components of our uncertainty. The approach to risk can guide the organization to develop a risk management strategy.
What is your legal risk tolerance?
When it comes to legal risk many organizations implicitly adopt a "zero tolerance" policy. Unfortunately, "zero tolerance" does not create zero risk. The zero tolerance preference is counterproductive, because it leads to the misallocation of precious risk management resources. This article outlines how to establish a risk tolerance policy within your organization's context so that we can better measure and manage legal risk.
What is a legal risk tolerance policy?
Put simply, a legal risk tolerance policy is an explicit acknowledgement of the level of risk and types of risks that an organization will accept with little or no treatment. Risk is the "effect of uncertainty on objectives" under ISO 31000.
The effects of legal risks can be sweeping. ISO 31000 allows us to include a variety of consequences in our risk calculation. While some important consequences are not financial, this article focuses on the financial aspects of legal risks for two reasons. First, financial examples illustrate the process of establishing a risk tolerance policy. Second, people charged with managing legal risk - lawyers, contract managers, and the like - often struggle to communicate the value of preemptive legal risk management to the organization.
Why is risk tolerance important?
An explicit legal risk tolerance policy achieves two objectives. First, it saves the organization money by calibrating the cost of risk treatment under ISO 31000. The organization cannot know how much to spend on preventative risk management if it does not have a target for acceptable risk.
Second, the legal risk tolerance policy improves organizational efficiency. For example, it is not unusual for sales executives to complain about revenue deals held up in legal. If both sides understand the organization's tolerance for risk, then sales executives and lawyers can collaborate on the contract in a meaningful way.
How to plot legal risk events?
To illustrate the role a risk tolerance policy plays, we will plot ten risk events. This image presents the risk events graphically. The vertical scale (Y axis) measures the consequences in financial terms. Apply the multiplier appropriate for your organization: 100's, 1,000's, or 1,000,000's. The scale is arbitrary; adapt it to your risks and organization. The horizontal scale (X axis) represents the probability as a percentage. A precise measurement of probability for legal risks is quite difficult for most organizations.
However, using probability instead of likelihood better clarifies risk tolerance. A subsequent article will discuss how to determine the values for consequences and probability. The size of the risk events (circles) is the product of the consequence and the probability for each risk. Notice, for example, that the far left risk is smaller than the far right event, even though the financial loss (consequence) is potentially almost double. The reason is probability.
True, this event might cost the organization $800 (or $800,000 or $8,000,000, etc) but there is a less than 5% probability of the event. The risk event on the far right, on the other hand, is almost 80% likely to occur. The risk is greater.
With the risk events plotted, we can examine three different approaches to risk tolerance. Imagine that three companies face identical risks, but each company has its own risk tolerance policy.
Company A: Low risk tolerance
Company A has a low risk tolerance policy. Any event above or to the right of the sloping line represents a risk that Company A will actively prevent or treat. Conversely, events to the left or below the line are "tolerable," meaning that the organization can absorb them financially and culturally.
If the company can tolerate about $150 (or $150,000 or $1,500,000 and so on) in losses, then we draw the line between acceptable and unacceptable risks as shown. In this example, then, there are three tolerable risks. Risk tolerance is a guideline, not a bright line, as demonstrated by the line splitting some risks.
Company B: Medium risk tolerance
Company B can tolerate slightly more risk. Company B can endure about $210 in risk and draws the line as shown.
Company C: High risk tolerance
Company C, however, demonstrates a much higher level of risk. They draw the line at about $760 in losses.
At first glance, Company C looks foolish. More than half the identified risk events will go untreated or receive little management time. However, context matters. There is much we do not know about all three companies.
What level of risk tolerance is best?
Which of the three companies adopts the best risk tolerance policy? Here, ISO 31000 shines. The answer, of course, is that it depends on the context. Context in ISO 31000 comes in two flavors: external and internal. ISO 31000 gives organizations wide latitude to design what is relevant context. External context can include, for example, cultural, social and regulatory factors as well as relationships with stakeholders. Internal context covers strategies, objectives, capabilities and contractual relationships, among other factors. The context is important, not as an abstract concept, but to help us define the organization's risk criteria.
Risk criteria allow the organization to evaluate and compare risks. The cost of risk treatment is measured against the level of the risk with the risk criteria. Risk criteria impose consistency on how an organization identifies and measures each element of a risk. In the examples here, there are only three risk criteria:
- Likelihood is measured as a percentage probability,
- Consequence is exclusively a financial loss (not a profit), and
- Risk is the product of the two with no other considerations.
In other words, these examples are not realistic because they ignore factors that organizations consider all the time.
Cost of risk treatment
These examples do, however, highlight an important element of a risk management strategy: the cost of risk treatment. Company A might claim that they "cannot afford the risks" above the line, but it is not clear that they can afford the risk management required to draw the line left and down.
As a simple example, Company A will have higher (maybe much higher) insurance costs. They will purchase coverage for more events at higher coverage amounts. For risks that are not insurable, Company A will invest more in technology, training, reporting, management oversight. These investments can reduce investments in revenue generating activity.
How to set risk tolerance policy?
While it is true that risk is about more than just money, it is important to clarify risk in financial terms. It is possible to criticize ISO 31000 as opening the discussion of risk too broadly to justify almost any or no action. This criticism is ultimately unfair. When it comes to legal risk, in particular, it is best to measure the financial implications of risk. We can then turn our attention to cultural and political considerations.
Legal risks in a financial context
Legal risks are rarely viewed collectively and even less frequently in the context of the organization's financial objectives. Risk managers, contract managers and lawyers often view no legal risk as tolerable. Sales executives and business leaders often just want to "get the deal done." How does an organization balance these opposing views? The risk tolerance policy is critical. But how do we pick a number (assuming for the moment this narrow focus on financials)?
Recall that ISO 31000 defines risk as the effect of uncertainty on objectives. Organizations, departments and teams all have objectives. Let's use the highest level for discussion: the five year strategic plan, particularly the financials.
The strategic plan
Here are hypothetical (simplistic and likely unrealistic) projections for a five year strategic plan. The plan results in an annual increase in revenue of 4% and a reduction in expenses of 4%. The organization wants to move from a slow growing company with 5% operating margins to a growing organization with 36% operating margins. Each part of the organization is responsible for various components of the plan to achieve those objectives.
Apply the risks to the plan
Let's assume that for each year of the plan the identified risks can reduce revenue by just 0 - 5%, after the planned growth. For example, key sales contracts might not get renewed or a major distributor is lost. Let's further assume that in each year risks impose between 0 - 5% of additional costs, after the planned reductions:
- Price increases occur despite the contract, because no one monitors the contract adequately,
- Regulators deem warranty contracts are actually insurance policies imposing regulatory fines, and
- A key vendor defaults and a replacement vendor is expensive on short notice.
One scenario is illustrated here:
The cumulative effect of these risks would reduce the company's valuation by 21%, assuming valuation is based on a 5.0x multiple of EBITDA.
The first scenario shows just the effect of expense related risks. The second scenario shows the effect of both revenue and expense risks on corporate valuation. This context allows us to measure and manage legal risks that are important to the organization.
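The plan arithmetic described above, as an added Python example that is not part of the original article. It assumes a starting revenue of 100 and expenses of 95 (constructed to match the 5% starting margin), treats operating income as a stand-in for EBITDA, and assumes each year's risk effect carries into the next year's base; the 1% annual drags are constructed and do not reproduce the article's illustrated scenario.

```python
GROWTH = 0.04      # planned annual revenue increase (from the article)
COST_CUT = 0.04    # planned annual expense reduction (from the article)
MULTIPLE = 5.0     # valuation as a multiple of EBITDA (from the article)
MAX_DRAG = 0.05    # risks move revenue or costs by 0 - 5% per year


def project(revenue, expenses, revenue_drag, cost_drag):
    """Return (revenue, expenses) for each plan year.

    revenue_drag[i] is the fraction of revenue lost to risk events in year i,
    applied after planned growth; cost_drag[i] is the fraction of extra cost,
    applied after planned reductions. Effects compound (assumption).
    """
    if len(revenue_drag) != len(cost_drag):
        raise ValueError("one revenue drag and one cost drag per year")
    rows = []
    for r, c in zip(revenue_drag, cost_drag):
        if not (0 <= r <= MAX_DRAG and 0 <= c <= MAX_DRAG):
            raise ValueError("drag outside the article's 0 - 5% range")
        revenue = revenue * (1 + GROWTH) * (1 - r)
        expenses = expenses * (1 - COST_CUT) * (1 + c)
        rows.append((revenue, expenses))
    return rows


def final_margin(rows):
    """Operating margin in the last plan year."""
    revenue, expenses = rows[-1]
    return (revenue - expenses) / revenue


def valuation_loss(revenue, expenses, revenue_drag, cost_drag):
    """Fractional drop in final-year valuation versus the risk-free plan."""
    years = len(revenue_drag)
    zero = [0.0] * years
    plan_rev, plan_exp = project(revenue, expenses, zero, zero)[-1]
    risk_rev, risk_exp = project(revenue, expenses, revenue_drag, cost_drag)[-1]
    plan_value = MULTIPLE * (plan_rev - plan_exp)
    risk_value = MULTIPLE * (risk_rev - risk_exp)
    return (plan_value - risk_value) / plan_value


if __name__ == "__main__":
    none, one_pct = [0.0] * 5, [0.01] * 5  # constructed scenario inputs
    print("plan margin:", round(final_margin(project(100, 95, none, none)), 3))
    print("expense risks only:", round(valuation_loss(100, 95, none, one_pct), 3))
    print("revenue + expense:", round(valuation_loss(100, 95, one_pct, one_pct), 3))
```

Because the valuation is a multiple of a thin margin between two large numbers, small percentage drags on revenue and cost translate into a much larger percentage drop in value.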
What is the value of legal risk management?
The examples in this article are artificially precise by design. They are meant to illustrate a method of establishing a consistent, useful legal risk tolerance policy. With that policy in hand, we can calibrate risk treatment measures and communicate the value of legal risk management throughout the organization.